Honeymonkeys Discover Undisclosed Vulnerability
spafbnerf writes "Securityfocus is running an article on Microsoft's honeymonkey project, previously covered on Slashdot. In early July 2005, this project discovered its first exploit for a vulnerability that had not been publicly disclosed, the JView profiler vulnerability which Microsoft announced later that month. "
I have no idea what Honeymonkey is, what Windows is, or even who Microsoft are.
BUT....Damn "Honeymonkey" is such a cool codename. I'm going to name my firstborn after it!
Aha, the new MS OS development team has been revealed: an infinite number of honeymonkeys at an infinite number of typewriters...
Explains a lot...
Microsoft has identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system.
I don't think I have a stronger word than DUH!
You mean to say that *gasp* a Microsoft product has a vulnerability? I refuse to believe it!
Perhaps they should start with the assumption that their applications are vulnerable, and work from there, instead of the other way around!
And they said zombies weren't real!
Don't you want people to find and fix the vulnerabilities in the OS before it goes public? Or will this just turn into another Slashdot anti-MS circle jerk?
Anonymous Coward: "This is slashdot. Accuracy is second class citizen here, unlike King Bias."
Actually this is a great initiative in my opinion and more things like this need to get done to proactively find threats and remove them from what has become a way too hostile Internet. Although I have to wonder if MS gets frustrated when they go to sites that install Claria software on their detection workstations...
The researchers determine whether each monkey's system has been compromised by using another ongoing project, the Strider Flight Data Recorder, which detects changes to system files and registries.
Why not build a virtual machine into the browser itself?
Sort of a special purpose virtual machine that has
just enough of an OS to run the browser.
If Microsoft refuses to remove IE from Windows, at least IE could be isolated from the rest of the operating system.
Apologies, I just need to get this out of my system.
MS "Honeymonkey" project starts netting su 9:31 10th August, 2005 Rejected
So what they did was perhaps not in your best interest.
or are Microsoft's buzzwords getting way too 'weird'?
Obviously Microsoft copied the idea from the aptly named Honeypot.
Honeypot makes sense.
Why ever would anybody in their right mind come up with something as lame as 'Honeymonkey'?
Is it because Microsoft is 'getting old'? It's like the old guy saying "In my day, we used to say 'Whizzo!' when something was really neat", and the teenager laughs, and comments that it doesn't sound half as good as 'cool'.
Linux/Open Source/Anti Microsoft News
Breaking news: Microsoft has found a security hole all by itself :P
It strikes me as odd that this important security patch arrived *after* the genuine advantage update. After the genuine advantage update, all our Windows computers stopped making automatic updates, and therefore the genuine advantage was not patched as quickly as possible. Manual interaction was required to accept the 'genuine advantage' update. I wonder how many users out there stopped watching their automatic update function to make sure it works correctly. What is the advantage of having automatic updates if you have to monitor them? What advantage is meant by 'genuine advantage'? And why do they publish this information now, when many people out there will not have applied the patch simply because they believe they still have automatic updates running?
...this seems like a good initiative, identifying the exploits used and then (hopefully) patching them and pursuing the sites in question.
:P
RTFA
It's like the old guy saying "In my day, we used to say 'Whizzo!' when something was really neat"
"We can't bust heads like we used to, but we have our ways. One trick is to tell 'em stories that don't go anywhere - like the time I caught the ferry over to Shelbyville. I needed a new heel for my shoe, so, I decided to go to Morganville, which is what they called Shelbyville in those days. So I tied an onion to my belt, which was the style at the time. Now, to take the ferry cost a nickel, and in those days, nickels had pictures of bumblebees on 'em. "Give me five bees for a quarter," you'd say. Now where were we? Oh yeah - the important thing was I had an onion on my belt, which was the style at the time. They didn't have white onions because of the war. The only thing you could get was those big yellow ones..."
"The honeymonkey client goes (to malicious Web sites) and gets exploited rather than waiting to get attacked,".
This is just CmdrTaco's way of giving some credit to MS for actually showing some initiative...
From what I can tell, Honey is how they pay the one thousand monkeys working for one thousand years to create their operating system. Well, I for one welcome our new Ape Overlords.
"I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
I guess this puts one more hole in the "security researchers should keep security holes to themselves" coffin. Obviously there's some fairly smart people out there in the black-hat community - if there's a flaw such as the recent issue with Cisco routers, they're gonna discover it eventually.
For the love of God, please learn to spell "ridiculous"!!!
Anyone that has actually been in the hacker community knows there are numerous unpublished exploits which the manufacturer doesn't know about. It's far easier to find an exploit than it is to build a secure system.
So Microsoft has a room full of computers that do nothing but automatically surf the "questionable" parts of the web? Anybody wanna guess how many hours a day that room is packed with employees just sitting in front of a computer "doing nothing"?
I can't believe that people are lapping this up.
The so-called vulnerability that Microsoft claim to have found a 0-day for in the second week of July was actually discovered by SEC-Consult and first published on June 29; they had discovered it and notified Microsoft on June 17. There was effectively nil response from Microsoft (they claimed not to have been able to reproduce the issue...).
While many people believe that the sample object used, the javaprxy.dll, was the flaw itself, the first paragraph of the advisory (the background) indicates that it is a COM level issue, and they identified at least 20 vulnerable objects on a standard XP installation.
It was this issue that Microsoft ignored until the recent Black Tuesday updates, and then claimed ownership of via the honey monkey project.
Sorry, guys, you can't claim something that has already been published openly, and ignored when notified.
Even a monkey can find a flaw in Windows.
This is good. This should have been done by MS a long time ago and this should be an ongoing process. Everyone knows no OS is bullet proof on security terms. Better late than never.
Honeymonkey? That's almost as bad as "Microsoft Certified Systems Engineer". Probably just as worthless too.
Not necessarily. You could say there are fewer flaws to find in Windows.
On the other hand, most remote exploits for Linux depend on SSH. Want a secure desktop Linux? Turn off SSH. And remove sudo.
Besides, those flaws are in specific applications, not the OS itself, in many cases.
Also, most flaws found in Linux are patched within days of discovery, announced upon verification, and less serious than the Windows counterparts. Given those facts, I'd say that less work goes into finding Windows exploits. Perhaps more goes into patching them, though--you have to ensure compatibility with a very wide range of programs from 1995 to the present. And when I find a bug, I can't submit a patch to Microsoft.
Everyone can sit and dissect the mistakes a company like Microsoft has made, but the important thing is that they are making steps in the right direction to improve security for users. That being said, they are nowhere near being perfect, but at this point in time what software company really is?
... are reader responses to an article like this. Some people just refuse to see the trees I guess.
If an independent, third party security company were performing these web site audits, the company wouldn't be admonished, but readers would still attack the "unfinished product" which was Windows XP unpatched. However, how can you fault a company that is trying to correct tens of years of security ignorance with new pro-active efforts?
MSFT is basically performing external penetration testing of their software while security teams are writing vulnerability scanners and focusing on individual aspects of an application's design. In fact, one could argue that this is one of the more effective ways of performing security testing since exploits in the wild can exist in the wild for months before any security company diagnoses the vulnerability and this method will identify areas of the Internet that seem to disseminate these exploits between web sites.
If you want to comment on the lack of security focus in the past, definitely. Are they playing a major game of catch up? Definitely. Should IE be so tightly meshed with the OS? Of course not. But can some of you just grow up and get past the MSFT bias and stop doing childish crap like making fun of the "honeymonkey" term or accusing workers of just sitting in the room not doing anything?
If you don't like it, GET THE FUCK OUT
How can you call it a zero-day exploit with a straight face when you found it in the wild??
sigs are for fools and trolls. no signature is *always* appropriate. you should turn them off in your preferences.
I assume that they are combining web-monkey with Honeypot. (Not that they are smoking anything.)
Seriously, MS has set up a bunch of machines that actively surf the web trolling for vulnerabilities. I guess it's the "If we can't code securely, at least we can find the holes to plug." theory. Considering IE, it's not a bad idea.
It would be nice if they shared the exploits with everyone, at least once a patch exists, though.
OK, good job Microsoft: Now if you could implement a "least privileges" model by default....
Why do they need a whole setup of their own for this? I should think analyzing what must be constant attacks on their own servers would give plenty of clue as to what's going on.
Perhaps more extensive research into their own source code and a rethink of the security model in Windows would have yielded better results, blocking these attacks at the doorstep. After all, a more secure Windows would put these attackers out of business faster and more efficiently, and be far easier to manage than such a hunt on the net, where the attacker most likely is out of reach and jurisdiction.
One observation Microsoft makes in the report is that "Several recent reports suggest that some companies may actually be building a business model around such attacks." (Microsoft itself springs to mind; sell vulnerable system, create malware removal tools, charge customers for removal tools, PROFIT!)
Regardless of what you think about Microsoft, what they are doing is a good thing and something the Linux community should consider.
Install the newest beta of your distro of choice on whatever old hardware you have lying around and join it to a distributed network. Someone put together a list of "questionable sites". Monitor the file systems with Tripwire or AIDE or something similar. Post the logs and such to the distributed network for review.
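The detection step behind both the Strider Flight Data Recorder quoted above ("detects changes to system files and registries") and the Tripwire/AIDE suggestion in this post is the same: fingerprint a baseline, let the machine visit the site, fingerprint again, and diff. The following is an added example written for this page, not code from Microsoft, Tripwire or AIDE. It fingerprints a directory tree (SHA-256, size, permission bits), then simulates a drive-by install on a constructed tree and reports what changed. The file names and contents are constructed for the demo; the registry is out of scope since it only exists on Windows.

```python
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Added illustration of file-integrity monitoring (snapshot, then diff).
# Names and sample files are constructed for the demo; this is not
# Strider FDR, Tripwire or AIDE code.

Fingerprint = Tuple[str, int, int]  # (sha256 hex digest, size in bytes, permission bits)


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by '/'-separated relative path."""
    snap: Dict[str, Fingerprint] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (file_digest(full), st.st_size, st.st_mode & 0o7777)
    return snap


def diff_snapshots(before: Dict[str, Fingerprint], after: Dict[str, Fingerprint]) -> Dict[str, list]:
    """Report paths added, removed, or changed (content, size or mode) between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> Dict[str, list]:
    """Baseline a constructed 'system' tree, simulate a drive-by install, and diff."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "System32")
        _write(os.path.join(sys32, "kernel32.dll"), b"constructed placeholder bytes")
        _write(os.path.join(root, "Windows", "system.ini"), b"[boot]\nshell=explorer.exe\n")
        _write(os.path.join(root, "Documents", "readme.txt"), b"hello\n")
        before = snapshot(root)

        # Simulated compromise: a new binary is dropped, a config file is altered,
        # a user file is deleted. These file names are constructed for the demo.
        _write(os.path.join(sys32, "dropper.dll"), b"\x4d\x5a constructed payload")
        _write(os.path.join(root, "Windows", "system.ini"), b"[boot]\nshell=explorer.exe dropper.exe\n")
        os.remove(os.path.join(root, "Documents", "readme.txt"))
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline snapshot has to be taken from a known-clean image and stored off the monitored machine, otherwise malware that lands with enough privilege can simply rewrite the baseline; that is also why such tools alert on a changed permission mode and not only on changed content.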
I do not deny that the Honeymonkey project is useful, and will be in the future (although the figures listed for number of sites with malware seems low).
Because there was a lot of contrary reporting and postings which appeared around the start of July, it is difficult to sort the wheat from the chaff in order to obtain accurate information, but I do remember reading that proof of concept code definitely existed, and was published, at the start of July, with one example being reported on the ISC Diary. I also recall a post on a mailing list that suggested that exploits were already circulating, but I cannot track down a citation for that. I really would not call it a 0-day (which is probably semantics), but at least their project picked it up within two weeks of the POC being published.
To Microsoft's credit, they do publicly acknowledge SEC-Consult as being responsible for discovery of the initial flaws, on the patch information page.
Sticking with M05-38, the image handling errors which were fixed are another example where Microsoft ignored public disclosure, especially when the disclosure sparked a level of interest on the Full-Disclosure mailing list.
With respect to pen-testing, my approach has always been to obtain a copy of the target software, and to test locally, before heading out for the client systems. Although not automated like the Honeymonkeys, it achieves a similar purpose. I also think that the monkey component of the honeymonkey might refer to the crazed monkey(?) testing tool in the original Macs, which performed random input (mouse movement, clicks, keys (I think)) as part of testing for unexpected application behaviour.
The approach we took was to collect an initial list of 5000+ potentially malicious URLs by doing a Web search for Windows "hosts" files [HF] that are used to block advertisements and bad sites, and lists of known-bad Web sites that host some of the most malicious spyware programs
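Building the seed list from ad-blocking hosts files, as the quoted paragraph describes, comes down to parsing those files and keeping only the sinkholed names. The following is an added example, not code from the honeymonkey project: it takes a constructed hosts-file sample, keeps entries that point a name at a loopback or unspecified address (the blocking convention), drops localhost-style entries, bare IP addresses and syntactically invalid names, deduplicates case-insensitively, and turns the result into URLs a crawler could visit. Real hosts-file lists can be a lot messier than this sample, so the validation is the part worth keeping.

```python
import ipaddress
import re
from typing import List

# Constructed sample of an ad/malware-blocking hosts file (not from any real list).
SAMPLE_HOSTS = """\
# constructed sample, lines of '<address> <hostname> [<hostname>...]'
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.net        # ad server
127.0.0.1 spyware-download.example.com evil.example.org
127.0.0.1 SPYWARE-DOWNLOAD.example.com   # duplicate, different case
127.0.0.1 broken host name with spaces!!
127.0.0.1 localhost.localdomain
127.0.0.1 192.168.1.5
10.0.0.7 intranet.example.com            # a real override, not a block entry
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}


def valid_hostname(name: str) -> bool:
    """Accept only syntactically valid, multi-label hostnames that are not IP literals."""
    if not name or len(name) > 253 or "." not in name:
        return False
    try:
        ipaddress.ip_address(name)
        return False  # an address masquerading as a name
    except ValueError:
        pass
    return all(LABEL.match(label) for label in name.split("."))


def blocked_hostnames(hosts_text: str) -> List[str]:
    """Extract sinkholed hostnames from hosts-file text, first-seen order, deduplicated."""
    seen = set()
    result: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: malformed line
        # Only sinkhole entries describe blocked sites; a name mapped to a
        # routable address is an ordinary local override and is skipped.
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not valid_hostname(name):
                continue
            if name not in seen:
                seen.add(name)
                result.append(name)
    return result


def seed_urls(hosts_text: str, scheme: str = "http") -> List[str]:
    """Turn the blocked names into crawl targets (scheme is an assumption for the demo)."""
    return [f"{scheme}://{host}/" for host in blocked_hostnames(hosts_text)]


if __name__ == "__main__":
    for url in seed_urls(SAMPLE_HOSTS):
        print(url)
```

Two practical caveats that follow from the quoted approach: hosts-file lists are curated by volunteers and go stale, so a sizeable share of the seeds will be parked or dead by the time a crawler reaches them, and the lists mix advertising domains with genuinely hostile ones, so the crawl output (did anything get installed?) rather than the seed list is what separates the two.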
Kinda like testing condoms with hookers.. only your condom is made by MS...
How many courses would I have to take to become a
Microsoft Certified HoneyMonkey
Mmmmmmm, Honeymonkey...
Wouldn't these sites eventually get smart enough to know the honeymonkey IP's and block them?
In his book "In the beginning was the command line", Neal Stephenson wrote that some newspaper articles would be indecipherable to someone who had lived in a cave for the past 50 years, because it talks about "software", "operating systems", and "windows vs. apples".
Now I am trying to figure out what someone who has lived in a cave since the Eisenhower era would make of this headline, "Honeymonkeys Discover Undisclosed Vulnerability".
"Honey... monkey? Vulnerability? Undisclosed? uuuuh?" *HEAD EXPLODES*
(Full text of In the Beginning... is on Stephenson's site)
Not published in the article is that the honeymonkeys were duped into revealing credit card numbers, costing Micro$oft hundreds of thousands of dollars.
They both refer to the same thing :P
I mean, what else do MCSEs do other than surf the questionable parts of the internet unsupervised?
Speaking of which, I'd better get back to work...
Did anyone else see the dup article about honeymonkeys from CmdrTaco that was here around 5:15pm eastern time? I guess he just deleted it to prevent humiliation.
I made a post there but it seems to be lost at this point.
And now we're back here..... uhh..
If I RTFA correctly, their honeymonkeynet found a new 0day that was previously unknown? A vulnerability that has been out there for who knows how long and has been used to exploit an unknown number of surfers? I do recall a while back some MS spokesperson saying something about how patching is bad because their patches are reverse engineered into exploits, and how if MS didn't release patches then no one would be able to write exploits... I guess that argument has been thrown out the window (again).